xref: /freebsd/contrib/wpa/src/tls/tlsv1_client_read.c (revision 63a938566d524836885917d95bd491aa4400b181)
1 /*
2  * TLSv1 client - read handshake message
3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/tls.h"
16 #include "x509v3.h"
17 #include "tlsv1_common.h"
18 #include "tlsv1_record.h"
19 #include "tlsv1_client.h"
20 #include "tlsv1_client_i.h"
21 
22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
23 					   const u8 *in_data, size_t *in_len);
24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
25 					   const u8 *in_data, size_t *in_len);
26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
27 					 const u8 *in_data, size_t *in_len);
28 
29 
30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
31 				    const u8 *in_data, size_t *in_len)
32 {
33 	const u8 *pos, *end;
34 	size_t left, len, i;
35 	u16 cipher_suite;
36 	u16 tls_version;
37 
38 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
39 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
40 			   "received content type 0x%x", ct);
41 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
42 			  TLS_ALERT_UNEXPECTED_MESSAGE);
43 		return -1;
44 	}
45 
46 	pos = in_data;
47 	left = *in_len;
48 
49 	if (left < 4)
50 		goto decode_error;
51 
52 	/* HandshakeType msg_type */
53 	if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) {
54 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
55 			   "message %d (expected ServerHello)", *pos);
56 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
57 			  TLS_ALERT_UNEXPECTED_MESSAGE);
58 		return -1;
59 	}
60 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello");
61 	pos++;
62 	/* uint24 length */
63 	len = WPA_GET_BE24(pos);
64 	pos += 3;
65 	left -= 4;
66 
67 	if (len > left)
68 		goto decode_error;
69 
70 	/* body - ServerHello */
71 
72 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len);
73 	end = pos + len;
74 
75 	/* ProtocolVersion server_version */
76 	if (end - pos < 2)
77 		goto decode_error;
78 	tls_version = WPA_GET_BE16(pos);
79 	if (!tls_version_ok(tls_version)) {
80 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
81 			   "ServerHello %u.%u", pos[0], pos[1]);
82 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
83 			  TLS_ALERT_PROTOCOL_VERSION);
84 		return -1;
85 	}
86 	pos += 2;
87 
88 	wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s",
89 		   tls_version_str(tls_version));
90 	conn->rl.tls_version = tls_version;
91 
92 	/* Random random */
93 	if (end - pos < TLS_RANDOM_LEN)
94 		goto decode_error;
95 
96 	os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN);
97 	pos += TLS_RANDOM_LEN;
98 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random",
99 		    conn->server_random, TLS_RANDOM_LEN);
100 
101 	/* SessionID session_id */
102 	if (end - pos < 1)
103 		goto decode_error;
104 	if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
105 		goto decode_error;
106 	if (conn->session_id_len && conn->session_id_len == *pos &&
107 	    os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) {
108 		pos += 1 + conn->session_id_len;
109 		wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session");
110 		conn->session_resumed = 1;
111 	} else {
112 		conn->session_id_len = *pos;
113 		pos++;
114 		os_memcpy(conn->session_id, pos, conn->session_id_len);
115 		pos += conn->session_id_len;
116 	}
117 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id",
118 		    conn->session_id, conn->session_id_len);
119 
120 	/* CipherSuite cipher_suite */
121 	if (end - pos < 2)
122 		goto decode_error;
123 	cipher_suite = WPA_GET_BE16(pos);
124 	pos += 2;
125 	for (i = 0; i < conn->num_cipher_suites; i++) {
126 		if (cipher_suite == conn->cipher_suites[i])
127 			break;
128 	}
129 	if (i == conn->num_cipher_suites) {
130 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
131 			   "cipher suite 0x%04x", cipher_suite);
132 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
133 			  TLS_ALERT_ILLEGAL_PARAMETER);
134 		return -1;
135 	}
136 
137 	if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) {
138 		wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different "
139 			   "cipher suite for a resumed connection (0x%04x != "
140 			   "0x%04x)", cipher_suite, conn->prev_cipher_suite);
141 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
142 			  TLS_ALERT_ILLEGAL_PARAMETER);
143 		return -1;
144 	}
145 
146 	if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
147 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
148 			   "record layer");
149 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
150 			  TLS_ALERT_INTERNAL_ERROR);
151 		return -1;
152 	}
153 
154 	conn->prev_cipher_suite = cipher_suite;
155 
156 	/* CompressionMethod compression_method */
157 	if (end - pos < 1)
158 		goto decode_error;
159 	if (*pos != TLS_COMPRESSION_NULL) {
160 		wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected "
161 			   "compression 0x%02x", *pos);
162 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
163 			  TLS_ALERT_ILLEGAL_PARAMETER);
164 		return -1;
165 	}
166 	pos++;
167 
168 	if (end != pos) {
169 		/* TODO: ServerHello extensions */
170 		wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the "
171 			    "end of ServerHello", pos, end - pos);
172 		goto decode_error;
173 	}
174 
175 	if (conn->session_ticket_included && conn->session_ticket_cb) {
176 		/* TODO: include SessionTicket extension if one was included in
177 		 * ServerHello */
178 		int res = conn->session_ticket_cb(
179 			conn->session_ticket_cb_ctx, NULL, 0,
180 			conn->client_random, conn->server_random,
181 			conn->master_secret);
182 		if (res < 0) {
183 			wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback "
184 				   "indicated failure");
185 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
186 				  TLS_ALERT_HANDSHAKE_FAILURE);
187 			return -1;
188 		}
189 		conn->use_session_ticket = !!res;
190 	}
191 
192 	if ((conn->session_resumed || conn->use_session_ticket) &&
193 	    tls_derive_keys(conn, NULL, 0)) {
194 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
195 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
196 			  TLS_ALERT_INTERNAL_ERROR);
197 		return -1;
198 	}
199 
200 	*in_len = end - in_data;
201 
202 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
203 		SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE;
204 
205 	return 0;
206 
207 decode_error:
208 	wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello");
209 	tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
210 	return -1;
211 }
212 
213 
214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
215 				   const u8 *in_data, size_t *in_len)
216 {
217 	const u8 *pos, *end;
218 	size_t left, len, list_len, cert_len, idx;
219 	u8 type;
220 	struct x509_certificate *chain = NULL, *last = NULL, *cert;
221 	int reason;
222 
223 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
224 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
225 			   "received content type 0x%x", ct);
226 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
227 			  TLS_ALERT_UNEXPECTED_MESSAGE);
228 		return -1;
229 	}
230 
231 	pos = in_data;
232 	left = *in_len;
233 
234 	if (left < 4) {
235 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
236 			   "(len=%lu)", (unsigned long) left);
237 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
238 		return -1;
239 	}
240 
241 	type = *pos++;
242 	len = WPA_GET_BE24(pos);
243 	pos += 3;
244 	left -= 4;
245 
246 	if (len > left) {
247 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
248 			   "length (len=%lu != left=%lu)",
249 			   (unsigned long) len, (unsigned long) left);
250 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
251 		return -1;
252 	}
253 
254 	if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE)
255 		return tls_process_server_key_exchange(conn, ct, in_data,
256 						       in_len);
257 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
258 		return tls_process_certificate_request(conn, ct, in_data,
259 						       in_len);
260 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
261 		return tls_process_server_hello_done(conn, ct, in_data,
262 						     in_len);
263 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
264 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
265 			   "message %d (expected Certificate/"
266 			   "ServerKeyExchange/CertificateRequest/"
267 			   "ServerHelloDone)", type);
268 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
269 			  TLS_ALERT_UNEXPECTED_MESSAGE);
270 		return -1;
271 	}
272 
273 	wpa_printf(MSG_DEBUG,
274 		   "TLSv1: Received Certificate (certificate_list len %lu)",
275 		   (unsigned long) len);
276 
277 	/*
278 	 * opaque ASN.1Cert<2^24-1>;
279 	 *
280 	 * struct {
281 	 *     ASN.1Cert certificate_list<1..2^24-1>;
282 	 * } Certificate;
283 	 */
284 
285 	end = pos + len;
286 
287 	if (end - pos < 3) {
288 		wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
289 			   "(left=%lu)", (unsigned long) left);
290 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
291 		return -1;
292 	}
293 
294 	list_len = WPA_GET_BE24(pos);
295 	pos += 3;
296 
297 	if ((size_t) (end - pos) != list_len) {
298 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
299 			   "length (len=%lu left=%lu)",
300 			   (unsigned long) list_len,
301 			   (unsigned long) (end - pos));
302 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
303 		return -1;
304 	}
305 
306 	idx = 0;
307 	while (pos < end) {
308 		if (end - pos < 3) {
309 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
310 				   "certificate_list");
311 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
312 				  TLS_ALERT_DECODE_ERROR);
313 			x509_certificate_chain_free(chain);
314 			return -1;
315 		}
316 
317 		cert_len = WPA_GET_BE24(pos);
318 		pos += 3;
319 
320 		if ((size_t) (end - pos) < cert_len) {
321 			wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
322 				   "length (len=%lu left=%lu)",
323 				   (unsigned long) cert_len,
324 				   (unsigned long) (end - pos));
325 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
326 				  TLS_ALERT_DECODE_ERROR);
327 			x509_certificate_chain_free(chain);
328 			return -1;
329 		}
330 
331 		wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
332 			   (unsigned long) idx, (unsigned long) cert_len);
333 
334 		if (idx == 0) {
335 			crypto_public_key_free(conn->server_rsa_key);
336 			if (tls_parse_cert(pos, cert_len,
337 					   &conn->server_rsa_key)) {
338 				wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
339 					   "the certificate");
340 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
341 					  TLS_ALERT_BAD_CERTIFICATE);
342 				x509_certificate_chain_free(chain);
343 				return -1;
344 			}
345 		}
346 
347 		cert = x509_certificate_parse(pos, cert_len);
348 		if (cert == NULL) {
349 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
350 				   "the certificate");
351 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
352 				  TLS_ALERT_BAD_CERTIFICATE);
353 			x509_certificate_chain_free(chain);
354 			return -1;
355 		}
356 
357 		if (last == NULL)
358 			chain = cert;
359 		else
360 			last->next = cert;
361 		last = cert;
362 
363 		idx++;
364 		pos += cert_len;
365 	}
366 
367 	if (conn->cred &&
368 	    x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
369 					    &reason, conn->disable_time_checks)
370 	    < 0) {
371 		int tls_reason;
372 		wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
373 			   "validation failed (reason=%d)", reason);
374 		switch (reason) {
375 		case X509_VALIDATE_BAD_CERTIFICATE:
376 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
377 			break;
378 		case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
379 			tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
380 			break;
381 		case X509_VALIDATE_CERTIFICATE_REVOKED:
382 			tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
383 			break;
384 		case X509_VALIDATE_CERTIFICATE_EXPIRED:
385 			tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
386 			break;
387 		case X509_VALIDATE_CERTIFICATE_UNKNOWN:
388 			tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
389 			break;
390 		case X509_VALIDATE_UNKNOWN_CA:
391 			tls_reason = TLS_ALERT_UNKNOWN_CA;
392 			break;
393 		default:
394 			tls_reason = TLS_ALERT_BAD_CERTIFICATE;
395 			break;
396 		}
397 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
398 		x509_certificate_chain_free(chain);
399 		return -1;
400 	}
401 
402 	x509_certificate_chain_free(chain);
403 
404 	*in_len = end - in_data;
405 
406 	conn->state = SERVER_KEY_EXCHANGE;
407 
408 	return 0;
409 }
410 
411 
412 static unsigned int count_bits(const u8 *val, size_t len)
413 {
414 	size_t i;
415 	unsigned int bits;
416 	u8 tmp;
417 
418 	for (i = 0; i < len; i++) {
419 		if (val[i])
420 			break;
421 	}
422 	if (i == len)
423 		return 0;
424 
425 	bits = (len - i - 1) * 8;
426 	tmp = val[i];
427 	while (tmp) {
428 		bits++;
429 		tmp >>= 1;
430 	}
431 
432 	return bits;
433 }
434 
435 
436 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
437 					const u8 *buf, size_t len,
438 					tls_key_exchange key_exchange)
439 {
440 	const u8 *pos, *end, *server_params, *server_params_end;
441 	u8 alert;
442 	unsigned int bits;
443 	u16 val;
444 
445 	tlsv1_client_free_dh(conn);
446 
447 	pos = buf;
448 	end = buf + len;
449 
450 	if (end - pos < 3)
451 		goto fail;
452 	server_params = pos;
453 	val = WPA_GET_BE16(pos);
454 	pos += 2;
455 	if (val == 0 || val > (size_t) (end - pos)) {
456 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
457 		goto fail;
458 	}
459 	conn->dh_p_len = val;
460 	bits = count_bits(pos, conn->dh_p_len);
461 	if (bits < 768) {
462 		wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
463 			   bits);
464 		wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime",
465 			    pos, conn->dh_p_len);
466 		goto fail;
467 	}
468 	conn->dh_p = os_malloc(conn->dh_p_len);
469 	if (conn->dh_p == NULL)
470 		goto fail;
471 	os_memcpy(conn->dh_p, pos, conn->dh_p_len);
472 	pos += conn->dh_p_len;
473 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)",
474 		    conn->dh_p, conn->dh_p_len);
475 
476 	if (end - pos < 3)
477 		goto fail;
478 	val = WPA_GET_BE16(pos);
479 	pos += 2;
480 	if (val == 0 || val > (size_t) (end - pos))
481 		goto fail;
482 	conn->dh_g_len = val;
483 	conn->dh_g = os_malloc(conn->dh_g_len);
484 	if (conn->dh_g == NULL)
485 		goto fail;
486 	os_memcpy(conn->dh_g, pos, conn->dh_g_len);
487 	pos += conn->dh_g_len;
488 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)",
489 		    conn->dh_g, conn->dh_g_len);
490 	if (conn->dh_g_len == 1 && conn->dh_g[0] < 2)
491 		goto fail;
492 
493 	if (end - pos < 3)
494 		goto fail;
495 	val = WPA_GET_BE16(pos);
496 	pos += 2;
497 	if (val == 0 || val > (size_t) (end - pos))
498 		goto fail;
499 	conn->dh_ys_len = val;
500 	conn->dh_ys = os_malloc(conn->dh_ys_len);
501 	if (conn->dh_ys == NULL)
502 		goto fail;
503 	os_memcpy(conn->dh_ys, pos, conn->dh_ys_len);
504 	pos += conn->dh_ys_len;
505 	wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)",
506 		    conn->dh_ys, conn->dh_ys_len);
507 	server_params_end = pos;
508 
509 	if (key_exchange == TLS_KEY_X_DHE_RSA) {
510 		u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
511 		int hlen;
512 
513 		if (conn->rl.tls_version == TLS_VERSION_1_2) {
514 #ifdef CONFIG_TLSV12
515 			/*
516 			 * RFC 5246, 4.7:
517 			 * TLS v1.2 adds explicit indication of the used
518 			 * signature and hash algorithms.
519 			 *
520 			 * struct {
521 			 *   HashAlgorithm hash;
522 			 *   SignatureAlgorithm signature;
523 			 * } SignatureAndHashAlgorithm;
524 			 */
525 			if (end - pos < 2)
526 				goto fail;
527 			if (pos[0] != TLS_HASH_ALG_SHA256 ||
528 			    pos[1] != TLS_SIGN_ALG_RSA) {
529 				wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm",
530 					   pos[0], pos[1]);
531 				goto fail;
532 			}
533 			pos += 2;
534 
535 			hlen = tlsv12_key_x_server_params_hash(
536 				conn->rl.tls_version, conn->client_random,
537 				conn->server_random, server_params,
538 				server_params_end - server_params, hash);
539 #else /* CONFIG_TLSV12 */
540 			goto fail;
541 #endif /* CONFIG_TLSV12 */
542 		} else {
543 			hlen = tls_key_x_server_params_hash(
544 				conn->rl.tls_version, conn->client_random,
545 				conn->server_random, server_params,
546 				server_params_end - server_params, hash);
547 		}
548 
549 		if (hlen < 0)
550 			goto fail;
551 		wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash",
552 			    hash, hlen);
553 
554 		if (tls_verify_signature(conn->rl.tls_version,
555 					 conn->server_rsa_key,
556 					 hash, hlen, pos, end - pos,
557 					 &alert) < 0)
558 			goto fail;
559 	}
560 
561 	return 0;
562 
563 fail:
564 	wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed");
565 	tlsv1_client_free_dh(conn);
566 	return -1;
567 }
568 
569 
570 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct,
571 					   const u8 *in_data, size_t *in_len)
572 {
573 	const u8 *pos, *end;
574 	size_t left, len;
575 	u8 type;
576 	const struct tls_cipher_suite *suite;
577 
578 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
579 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
580 			   "received content type 0x%x", ct);
581 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
582 			  TLS_ALERT_UNEXPECTED_MESSAGE);
583 		return -1;
584 	}
585 
586 	pos = in_data;
587 	left = *in_len;
588 
589 	if (left < 4) {
590 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange "
591 			   "(Left=%lu)", (unsigned long) left);
592 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
593 		return -1;
594 	}
595 
596 	type = *pos++;
597 	len = WPA_GET_BE24(pos);
598 	pos += 3;
599 	left -= 4;
600 
601 	if (len > left) {
602 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange "
603 			   "length (len=%lu != left=%lu)",
604 			   (unsigned long) len, (unsigned long) left);
605 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
606 		return -1;
607 	}
608 
609 	end = pos + len;
610 
611 	if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST)
612 		return tls_process_certificate_request(conn, ct, in_data,
613 						       in_len);
614 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
615 		return tls_process_server_hello_done(conn, ct, in_data,
616 						     in_len);
617 	if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) {
618 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
619 			   "message %d (expected ServerKeyExchange/"
620 			   "CertificateRequest/ServerHelloDone)", type);
621 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
622 			  TLS_ALERT_UNEXPECTED_MESSAGE);
623 		return -1;
624 	}
625 
626 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange");
627 
628 	if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) {
629 		wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed "
630 			   "with the selected cipher suite");
631 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
632 			  TLS_ALERT_UNEXPECTED_MESSAGE);
633 		return -1;
634 	}
635 
636 	wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len);
637 	suite = tls_get_cipher_suite(conn->rl.cipher_suite);
638 	if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon ||
639 		      suite->key_exchange == TLS_KEY_X_DHE_RSA)) {
640 		if (tlsv1_process_diffie_hellman(conn, pos, len,
641 						 suite->key_exchange) < 0) {
642 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
643 				  TLS_ALERT_DECODE_ERROR);
644 			return -1;
645 		}
646 	} else {
647 		wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange");
648 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
649 			  TLS_ALERT_UNEXPECTED_MESSAGE);
650 		return -1;
651 	}
652 
653 	*in_len = end - in_data;
654 
655 	conn->state = SERVER_CERTIFICATE_REQUEST;
656 
657 	return 0;
658 }
659 
660 
661 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct,
662 					   const u8 *in_data, size_t *in_len)
663 {
664 	const u8 *pos, *end;
665 	size_t left, len;
666 	u8 type;
667 
668 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
669 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
670 			   "received content type 0x%x", ct);
671 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
672 			  TLS_ALERT_UNEXPECTED_MESSAGE);
673 		return -1;
674 	}
675 
676 	pos = in_data;
677 	left = *in_len;
678 
679 	if (left < 4) {
680 		wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest "
681 			   "(left=%lu)", (unsigned long) left);
682 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
683 		return -1;
684 	}
685 
686 	type = *pos++;
687 	len = WPA_GET_BE24(pos);
688 	pos += 3;
689 	left -= 4;
690 
691 	if (len > left) {
692 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest "
693 			   "length (len=%lu != left=%lu)",
694 			   (unsigned long) len, (unsigned long) left);
695 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
696 		return -1;
697 	}
698 
699 	end = pos + len;
700 
701 	if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE)
702 		return tls_process_server_hello_done(conn, ct, in_data,
703 						     in_len);
704 	if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
705 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
706 			   "message %d (expected CertificateRequest/"
707 			   "ServerHelloDone)", type);
708 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
709 			  TLS_ALERT_UNEXPECTED_MESSAGE);
710 		return -1;
711 	}
712 
713 	wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest");
714 
715 	conn->certificate_requested = 1;
716 
717 	*in_len = end - in_data;
718 
719 	conn->state = SERVER_HELLO_DONE;
720 
721 	return 0;
722 }
723 
724 
725 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
726 					 const u8 *in_data, size_t *in_len)
727 {
728 	const u8 *pos, *end;
729 	size_t left, len;
730 	u8 type;
731 
732 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
733 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
734 			   "received content type 0x%x", ct);
735 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
736 			  TLS_ALERT_UNEXPECTED_MESSAGE);
737 		return -1;
738 	}
739 
740 	pos = in_data;
741 	left = *in_len;
742 
743 	if (left < 4) {
744 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone "
745 			   "(left=%lu)", (unsigned long) left);
746 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
747 		return -1;
748 	}
749 
750 	type = *pos++;
751 	len = WPA_GET_BE24(pos);
752 	pos += 3;
753 	left -= 4;
754 
755 	if (len > left) {
756 		wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone "
757 			   "length (len=%lu != left=%lu)",
758 			   (unsigned long) len, (unsigned long) left);
759 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
760 		return -1;
761 	}
762 	end = pos + len;
763 
764 	if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) {
765 		wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
766 			   "message %d (expected ServerHelloDone)", type);
767 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
768 			  TLS_ALERT_UNEXPECTED_MESSAGE);
769 		return -1;
770 	}
771 
772 	wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone");
773 
774 	*in_len = end - in_data;
775 
776 	conn->state = CLIENT_KEY_EXCHANGE;
777 
778 	return 0;
779 }
780 
781 
782 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn,
783 						 u8 ct, const u8 *in_data,
784 						 size_t *in_len)
785 {
786 	const u8 *pos;
787 	size_t left;
788 
789 	if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
790 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
791 			   "received content type 0x%x", ct);
792 		if (conn->use_session_ticket) {
793 			int res;
794 			wpa_printf(MSG_DEBUG, "TLSv1: Server may have "
795 				   "rejected SessionTicket");
796 			conn->use_session_ticket = 0;
797 
798 			/* Notify upper layers that SessionTicket failed */
799 			res = conn->session_ticket_cb(
800 				conn->session_ticket_cb_ctx, NULL, 0, NULL,
801 				NULL, NULL);
802 			if (res < 0) {
803 				wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket "
804 					   "callback indicated failure");
805 				tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
806 					  TLS_ALERT_HANDSHAKE_FAILURE);
807 				return -1;
808 			}
809 
810 			conn->state = SERVER_CERTIFICATE;
811 			return tls_process_certificate(conn, ct, in_data,
812 						       in_len);
813 		}
814 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
815 			  TLS_ALERT_UNEXPECTED_MESSAGE);
816 		return -1;
817 	}
818 
819 	pos = in_data;
820 	left = *in_len;
821 
822 	if (left < 1) {
823 		wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
824 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
825 		return -1;
826 	}
827 
828 	if (*pos != TLS_CHANGE_CIPHER_SPEC) {
829 		wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
830 			   "received data 0x%x", *pos);
831 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
832 			  TLS_ALERT_UNEXPECTED_MESSAGE);
833 		return -1;
834 	}
835 
836 	wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
837 	if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
838 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
839 			   "for record layer");
840 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
841 			  TLS_ALERT_INTERNAL_ERROR);
842 		return -1;
843 	}
844 
845 	*in_len = pos + 1 - in_data;
846 
847 	conn->state = SERVER_FINISHED;
848 
849 	return 0;
850 }
851 
852 
853 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
854 				       const u8 *in_data, size_t *in_len)
855 {
856 	const u8 *pos, *end;
857 	size_t left, len, hlen;
858 	u8 verify_data[TLS_VERIFY_DATA_LEN];
859 	u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];
860 
861 	if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
862 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
863 			   "received content type 0x%x", ct);
864 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
865 			  TLS_ALERT_UNEXPECTED_MESSAGE);
866 		return -1;
867 	}
868 
869 	pos = in_data;
870 	left = *in_len;
871 
872 	if (left < 4) {
873 		wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
874 			   "Finished",
875 			   (unsigned long) left);
876 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
877 			  TLS_ALERT_DECODE_ERROR);
878 		return -1;
879 	}
880 
881 	if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
882 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
883 			   "type 0x%x", pos[0]);
884 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
885 			  TLS_ALERT_UNEXPECTED_MESSAGE);
886 		return -1;
887 	}
888 
889 	len = WPA_GET_BE24(pos + 1);
890 
891 	pos += 4;
892 	left -= 4;
893 
894 	if (len > left) {
895 		wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
896 			   "(len=%lu > left=%lu)",
897 			   (unsigned long) len, (unsigned long) left);
898 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
899 			  TLS_ALERT_DECODE_ERROR);
900 		return -1;
901 	}
902 	end = pos + len;
903 	if (len != TLS_VERIFY_DATA_LEN) {
904 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
905 			   "in Finished: %lu (expected %d)",
906 			   (unsigned long) len, TLS_VERIFY_DATA_LEN);
907 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
908 			  TLS_ALERT_DECODE_ERROR);
909 		return -1;
910 	}
911 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
912 		    pos, TLS_VERIFY_DATA_LEN);
913 
914 #ifdef CONFIG_TLSV12
915 	if (conn->rl.tls_version >= TLS_VERSION_1_2) {
916 		hlen = SHA256_MAC_LEN;
917 		if (conn->verify.sha256_server == NULL ||
918 		    crypto_hash_finish(conn->verify.sha256_server, hash, &hlen)
919 		    < 0) {
920 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
921 				  TLS_ALERT_INTERNAL_ERROR);
922 			conn->verify.sha256_server = NULL;
923 			return -1;
924 		}
925 		conn->verify.sha256_server = NULL;
926 	} else {
927 #endif /* CONFIG_TLSV12 */
928 
929 	hlen = MD5_MAC_LEN;
930 	if (conn->verify.md5_server == NULL ||
931 	    crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) {
932 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
933 			  TLS_ALERT_INTERNAL_ERROR);
934 		conn->verify.md5_server = NULL;
935 		crypto_hash_finish(conn->verify.sha1_server, NULL, NULL);
936 		conn->verify.sha1_server = NULL;
937 		return -1;
938 	}
939 	conn->verify.md5_server = NULL;
940 	hlen = SHA1_MAC_LEN;
941 	if (conn->verify.sha1_server == NULL ||
942 	    crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN,
943 			       &hlen) < 0) {
944 		conn->verify.sha1_server = NULL;
945 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
946 			  TLS_ALERT_INTERNAL_ERROR);
947 		return -1;
948 	}
949 	conn->verify.sha1_server = NULL;
950 	hlen = MD5_MAC_LEN + SHA1_MAC_LEN;
951 
952 #ifdef CONFIG_TLSV12
953 	}
954 #endif /* CONFIG_TLSV12 */
955 
956 	if (tls_prf(conn->rl.tls_version,
957 		    conn->master_secret, TLS_MASTER_SECRET_LEN,
958 		    "server finished", hash, hlen,
959 		    verify_data, TLS_VERIFY_DATA_LEN)) {
960 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
961 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
962 			  TLS_ALERT_DECRYPT_ERROR);
963 		return -1;
964 	}
965 	wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
966 			verify_data, TLS_VERIFY_DATA_LEN);
967 
968 	if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
969 		wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
970 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
971 			  TLS_ALERT_DECRYPT_ERROR);
972 		return -1;
973 	}
974 
975 	wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");
976 
977 	*in_len = end - in_data;
978 
979 	conn->state = (conn->session_resumed || conn->use_session_ticket) ?
980 		CHANGE_CIPHER_SPEC : ACK_FINISHED;
981 
982 	return 0;
983 }
984 
985 
986 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct,
987 					const u8 *in_data, size_t *in_len,
988 					u8 **out_data, size_t *out_len)
989 {
990 	const u8 *pos;
991 	size_t left;
992 
993 	if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) {
994 		wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; "
995 			   "received content type 0x%x", ct);
996 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
997 			  TLS_ALERT_UNEXPECTED_MESSAGE);
998 		return -1;
999 	}
1000 
1001 	pos = in_data;
1002 	left = *in_len;
1003 
1004 	wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake",
1005 		    pos, left);
1006 
1007 	*out_data = os_malloc(left);
1008 	if (*out_data) {
1009 		os_memcpy(*out_data, pos, left);
1010 		*out_len = left;
1011 	}
1012 
1013 	return 0;
1014 }
1015 
1016 
1017 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct,
1018 				   const u8 *buf, size_t *len,
1019 				   u8 **out_data, size_t *out_len)
1020 {
1021 	if (ct == TLS_CONTENT_TYPE_ALERT) {
1022 		if (*len < 2) {
1023 			wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
1024 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1025 				  TLS_ALERT_DECODE_ERROR);
1026 			return -1;
1027 		}
1028 		wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
1029 			   buf[0], buf[1]);
1030 		*len = 2;
1031 		conn->state = FAILED;
1032 		return -1;
1033 	}
1034 
1035 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 &&
1036 	    buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) {
1037 		size_t hr_len = WPA_GET_BE24(buf + 1);
1038 		if (hr_len > *len - 4) {
1039 			wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow");
1040 			tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
1041 				  TLS_ALERT_DECODE_ERROR);
1042 			return -1;
1043 		}
1044 		wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest");
1045 		*len = 4 + hr_len;
1046 		return 0;
1047 	}
1048 
1049 	switch (conn->state) {
1050 	case SERVER_HELLO:
1051 		if (tls_process_server_hello(conn, ct, buf, len))
1052 			return -1;
1053 		break;
1054 	case SERVER_CERTIFICATE:
1055 		if (tls_process_certificate(conn, ct, buf, len))
1056 			return -1;
1057 		break;
1058 	case SERVER_KEY_EXCHANGE:
1059 		if (tls_process_server_key_exchange(conn, ct, buf, len))
1060 			return -1;
1061 		break;
1062 	case SERVER_CERTIFICATE_REQUEST:
1063 		if (tls_process_certificate_request(conn, ct, buf, len))
1064 			return -1;
1065 		break;
1066 	case SERVER_HELLO_DONE:
1067 		if (tls_process_server_hello_done(conn, ct, buf, len))
1068 			return -1;
1069 		break;
1070 	case SERVER_CHANGE_CIPHER_SPEC:
1071 		if (tls_process_server_change_cipher_spec(conn, ct, buf, len))
1072 			return -1;
1073 		break;
1074 	case SERVER_FINISHED:
1075 		if (tls_process_server_finished(conn, ct, buf, len))
1076 			return -1;
1077 		break;
1078 	case ACK_FINISHED:
1079 		if (out_data &&
1080 		    tls_process_application_data(conn, ct, buf, len, out_data,
1081 						 out_len))
1082 			return -1;
1083 		break;
1084 	default:
1085 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
1086 			   "while processing received message",
1087 			   conn->state);
1088 		return -1;
1089 	}
1090 
1091 	if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
1092 		tls_verify_hash_add(&conn->verify, buf, *len);
1093 
1094 	return 0;
1095 }
1096